Full Report
Stop the noise and scale your cloud security. Our latest updates introduce custom policy automation via Explorer, AWS ABAC support for true least privilege, and research-backed protection against critical vulnerabilities, all designed to slash MTTR without disrupting your DevOps workflows.

Key takeaways

- Automated governance via Explorer: Harness the power of Tenable's unified data model, transforming any query into a permanent security policy or a scheduled report across all entities, such as resources, findings and vulnerabilities, with custom interval scheduling.
- Research-driven intelligence: New insights from Tenable Research feature the discovery of novel critical vulnerabilities in Google Looker Studio and Google Looker, and a deep-dive into a recently identified malicious third-party npm package.
- True least privilege via ABAC: Support for AWS ABAC ensures precision in permission evaluations, a critical requirement for securing the 18% of organizations with overprivileged IAM roles that AWS AI services can instantly assume.
- Streamlined vulnerability patching: Tenable's unique plugin name and ID information is now integrated into vulnerability and workload profiles, eliminating manual research for DevOps teams.

Cloud security often generates more "noise" than insight. The goal for the security team is to close the gap between discovery of vulnerabilities and misconfigurations and their actual remediation, all without disrupting DevOps workflows.

The latest updates to Tenable Cloud Security are focused on that exact mission: providing the precision needed to silence the noise and the automation required to scale, quickly. From flexible custom policies and query-based reporting to granular IAM visibility, we're making it easier to manage your cloud security posture across complex, multi-cloud environments. Using Tenable advances your maturity by shifting the focus from managing individual findings to understanding functional resilience.
Governance and automation: The power of our Explorer

We have enhanced the recently introduced Explorer capability to allow you to turn multi-cloud risk analysis insights into automated governance and scheduled intelligence.

Custom policy creation from queries

Use the Explorer query builder to create custom policies, baking your internal business logic directly into the platform. If you can query it, you can police it; for example, tracking publicly exposed EC2 instances that carry a "Sensitive" tag. You can set findings at your preferred severity level, ensuring your dashboard reflects your organization's actual risk priorities. Additionally, you can now add free-text remediation instructions to any policy to align with your organization's specific practices.

Bottom line: Effortlessly transform ad-hoc searches into permanent, automated security monitoring that triggers exactly when and how you need it.

[Figure caption: Transform queries into standing custom policies in one click using the Explorer query builder and customize the remediation steps for improved governance]

Automated reports from queries

Explorer, built on our unified data model, generates reports from queries of all entities, including cloud resources, finding types and vulnerability instances. A redesigned, full-screen reporting experience offers live data previews and local time zone support. New custom-interval scheduling gives you total control, such as scheduling a report for every Monday and Wednesday at 9:00 AM.

Bottom line: Provides a consistent, automated pulse on your cloud security posture, delivering tailored insights to stakeholders on a regular cadence via our report delivery method.

[Figure caption: Generate reports based on detailed Explorer queries, and schedule them for delivery at customized intervals]

Research spotlight: Protection against emerging cloud threats

A cloud security platform is only as good as its intelligence.
Tenable Research continues to lead the industry in identifying critical cloud service and supply chain vulnerabilities.

Uncovering vulnerabilities in Google Looker Studio and Google Looker

Our researchers recently discovered and responsibly disclosed significant novel vulnerabilities in both Google Looker Studio and Google Looker. The "LeakerLooker" discovery identified nine cross-tenant vulnerabilities that could have let attackers exfiltrate or modify data across Google services. The "LookOut" discovery identified remote code execution (RCE) and unauthorized internal access risks that could have allowed an attacker to completely compromise a Looker instance. These discoveries reflect how, working behind the scenes, Tenable offers proactive protection to help secure an organization's broader cloud ecosystem.

Neutralizing supply chain attacks

The threat often enters through the code itself. Tenable Research recently published a deep-dive analysis of "ambar-src," a malicious npm package designed to mimic popular legitimate libraries in order to infect developer systems. This matters because our research shows 86% of organizations host third-party code packages with critical-severity vulnerabilities.

Bottom line: When you use Tenable Cloud Security, you are backed by the same research team that discovered these Looker and npm threats, ensuring protection against modern, sophisticated attack vectors.

Workload protection (CWPP): Slashing mean-time-to-remediation

The gap between security and DevOps is often manual research. When security tools lack clear fixes, remediation stalls and the risk window stays open.
In fact, we recently found that 82% of organizations run cloud workloads with known exploited critical CVEs, leaving environments highly vulnerable to automated exploitation, a growing threat in this AI era.

Remediation patches and Tenable plugin IDs

To bridge this divide we integrated Tenable plugin IDs directly into vulnerability tables and workload profiles, that is, into the remediation workflow. With vulnerabilities now mapped to specific plugin names and IDs, teams can instantly identify the exact software versions required to resolve security gaps across VMs and container images. Integrated metadata, including Vulnerability Priority Rating (VPR) and discovery timestamps, lets teams move past raw severity and focus on the actual risk impact to the business. DevOps teams get the exact patch name they need, removing manual research and back-and-forth communication between security and engineering.

Bottom line: Greatly reduces mean-time-to-remediation (MTTR) by providing actionable data at the point of discovery, aligning security goals with developer velocity.

Cloud identity and entitlement management (CIEM): Achieving least privilege with permissions granularity

Identity is the new perimeter, but managing it at scale is difficult. Indeed, our recent risk report found this is becoming increasingly critical for AI-related identities, with 18% of organizations having overprivileged IAM roles that AWS AI services can instantly assume.

AWS ABAC support and granular visibility

We've upgraded permission evaluations to support AWS attribute-based access control (ABAC) and added a dedicated access level section to resource profiles.
This replaces generic summaries with a detailed breakdown of permission categories, providing a highly accurate view of your identity landscape.

Bottom line: Achieve true least privilege by accounting for attribute-based access, ensuring your permission recommendations are as precise as your AWS environment.

Strategic operations: Scale and precision

Data security: Precision classification

Enhance data discovery by using regular expressions to exclude known or irrelevant values. This keeps data security findings focused on genuinely sensitive information while filtering out irrelevant matches.

Bottom line: Ensures your team only spends time on genuine data exposure risks, increasing operational efficiency.

GraphQL API and centralized exclusions

Manage high-volume environments programmatically with new GraphQL API support for Projects, allowing you to create or modify role assignments directly within your DevOps workflows. Our new centralized exclusions framework allows you to define business scenarios to ignore non-actionable findings using flexible tags, creating a single, auditable source of truth for all exceptions.

Bottom line: Streamlines security governance for large-scale environments by automating project management and centralizing risk handling.

Frequently Asked Questions

Q: How do custom policies differ from the built-in policies in Tenable Cloud Security?
A: While built-in policies cover industry standards, custom policies allow you to use the Explorer query builder to create rules specific to your environment and assign the severity levels that reflect your organization's risk appetite.

Q: Why is the support for AWS ABAC a significant update for identity security?
A: Most tools evaluate only static IAM policies, but modern permissions are often granted based on attributes (tags).
We support AWS ABAC to provide the precision needed for true least privilege without disrupting developer workflows.

Q: Why is using the Tenable One Exposure Management Platform important for my cloud strategy?
A: It shifts the focus from "finding bugs" to "managing risk" in full context across your hybrid environment. Tenable One's cloud security capabilities integrate vulnerabilities, identities, network and data into a single view, allowing you to see how an attacker could move through your environment.

Learn more:
- Tenable Cloud and AI Security Risk Report
- Tenable Cloud Security
- What to Fix First demo
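The "Data security: Precision classification" section above describes excluding known or irrelevant values with regular expressions so that findings only cover genuine exposures. The following is an added, illustrative example and not Tenable's classification engine or code: a small card-number classifier in which a broad candidate pattern is narrowed first by exclusion regexes (run on the normalised, digits-only value) and then by the Luhn checksum that real card numbers satisfy. The sample text, the exclusion patterns and the helper names are constructed for this example.

```python
"""Precision classification: candidate regex -> exclusion regexes -> checksum.

Added example, not Tenable code. The sample text and exclusion patterns are
constructed; the only real-world fact used is that payment card numbers
satisfy the Luhn checksum.
"""
import re

# Candidate: 13-19 digits, optionally separated by spaces or hyphens, and not
# embedded in a longer run of digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")

# Exclusions are matched against the digits-only value. Constructed for this
# environment: a well-known test card and any run of a single repeated digit.
DEFAULT_EXCLUSIONS = [
    re.compile(r"4111111111111111"),
    re.compile(r"(\d)\1{12,18}"),
]


def luhn_ok(digits):
    """Luhn checksum: every genuine card number passes (some non-card numbers do too)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold into one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text, exclusions=DEFAULT_EXCLUSIONS):
    """Return (findings, suppressed).

    findings:   (line_no, masked_value) for values that survive exclusion and Luhn
    suppressed: (line_no, masked_value, reason) for everything dropped, so the
                exclusion decisions stay auditable instead of silently vanishing.
    """
    findings, suppressed = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"\D", "", match.group(0))
            masked = "*" * (len(digits) - 4) + digits[-4:]  # never log the full value
            hit = next((p.pattern for p in exclusions if p.fullmatch(digits)), None)
            if hit is not None:
                suppressed.append((line_no, masked, f"matches exclusion /{hit}/"))
            elif not luhn_ok(digits):
                suppressed.append((line_no, masked, "fails Luhn check"))
            else:
                findings.append((line_no, masked))
    return findings, suppressed


# Constructed sample input; none of these values belongs to a real account.
SAMPLE = "\n".join([
    "order_id=1234567890123456 status=shipped",
    "card=4111 1111 1111 1111 # fixture used by the test suite",
    "card=5555 5555 5555 4444",
    "card=4242-4242-4242-4242",
    "ticket=0000000000000000",
])

if __name__ == "__main__":
    found, dropped = classify(SAMPLE)
    for item in found:
        print("FINDING  ", item)
    for item in dropped:
        print("SUPPRESSED", item)
```

Running the block on the constructed sample reports only lines 3 and 4 as findings: the order ID fails the checksum, the 4111 fixture and the all-zero ticket number are removed by the exclusion regexes (the all-zero value would otherwise pass Luhn, which is why a checksum alone is not enough). Keeping the suppressed list, with the reason for each suppression, is what makes an exclusion rule reviewable later rather than a silent blind spot.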
Analysis Summary
# Industry News: Tenable Enhances Cloud Security Platform with Automated Governance and AWS ABAC Support
## Summary
Tenable has announced a significant suite of updates to its Cloud Security platform, focusing on reducing "security noise" through automated governance and granular identity controls. Key enhancements include a query-based policy engine, support for AWS Attribute-Based Access Control (ABAC), and integrated remediation intelligence to accelerate vulnerability patching in DevOps workflows.
## Key Details
- **Date:** Not stated on the page; the post references the Tenable Cloud and AI Security Risk Report and the LeakerLooker and LookOut disclosures but carries no publication date.
- **Companies Involved:** Tenable, Amazon Web Services (AWS), Google (as research subject)
- **Category:** Product Update / Cloud Native Application Protection Platform (CNAPP)
## The Story
In an era where cloud environments generate an overwhelming volume of alerts, Tenable is pivoting toward "functional resilience" rather than just discovery. The core of this update is the **Explorer** capability, which allows security teams to transform any data query into a permanent, automated security policy. This enables organizations to bake internal business logic—rather than just generic industry standards—directly into their monitoring.
Simultaneously, Tenable is addressing the "identity is the new perimeter" challenge by supporting **AWS ABAC**. This allows permission evaluations to account for tag-based (attribute) conditions rather than only the static policy text, which matters for the 18% of organizations the post cites as having overprivileged IAM roles that AWS AI services can assume. To bridge the gap between security and engineering, Tenable has also integrated its Plugin IDs and remediation metadata (including VPR and discovery timestamps) directly into vulnerability tables and workload profiles, aiming to slash Mean Time to Remediation (MTTR) by removing manual research.
## Business Impact
### For the Companies Involved
- **Tenable:** Solidifies its position in the competitive CNAPP market by moving beyond "vulnerability scanning" into "exposure management" and governance.
- **AWS:** Gains third-party tooling that helps customers manage the customer-side half of the shared responsibility model for AWS-native features such as ABAC.
### For Competitors
- Competitors (Wiz, Palo Alto Networks, Orca) face pressure to match Tenable’s deep research integration and the flexibility of its "query-to-policy" automation.
### For Customers
- End users benefit from reduced friction between security and DevOps teams. The ability to automate reports and customize remediation instructions means security becomes a business enabler rather than a bottleneck.
### For the Market
- This signals a trend toward **integrated intelligence**. A cloud security platform is no longer just a dashboard; it is increasingly expected to include original research (like the Looker and npm discoveries) to stay ahead of novel attack vectors.
## Technical Implications
- **AWS ABAC Integration:** Moves permission evaluation from static policy analysis to attribute-based evaluation, in which an allow can depend on a tag condition (for example, a principal's tag matching a resource's tag) rather than on the Action/Resource text alone.
- **GraphQL API Support:** Allows for "Security as Code" where project management and role assignments can be automated via CI/CD pipelines.
- **Unified Data Model:** Consolidates cloud resources, identities, and vulnerabilities into a single queryable schema.
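The ABAC point above, and the post's FAQ answer that "most tools evaluate only static IAM policies," is easiest to see with a concrete evaluator. The block below is an added example, not Tenable's evaluation engine or any Tenable code: a deliberately small model of IAM policy evaluation with a switch to ignore `Condition` blocks, so the condition-blind ("static") result can be compared against the ABAC-aware one. The policy, the principal tags and the secret inventory are constructed; the condition keys `aws:PrincipalTag/<key>` and `aws:ResourceTag/<key>`, the `${...}` policy-variable syntax and the explicit-deny-wins rule are real IAM behaviour, but the model omits SCPs, resource policies, permission boundaries, session policies and most condition operators.

```python
"""Condition-blind vs ABAC-aware evaluation of one IAM policy (added example).

Not Tenable code. Policy, tags and inventory are constructed. Simplified model:
identity policy only; StringEquals/StringLike conditions; no SCPs, resource
policies or permission boundaries.
"""
from fnmatch import fnmatchcase

# Constructed ABAC policy: read a secret only if its "team" tag equals the
# caller's own "team" tag (policy variable ${aws:PrincipalTag/team}).
ABAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "secretsmanager:GetSecretValue",
        "Resource": "arn:aws:secretsmanager:*:*:secret:*",
        "Condition": {"StringEquals": {"aws:ResourceTag/team": "${aws:PrincipalTag/team}"}},
    }],
}

# Constructed inventory: secret ARN -> resource tags (one secret is untagged).
SECRETS = {
    "arn:aws:secretsmanager:us-east-1:111122223333:secret:payments/db-AbCdEf": {"team": "payments"},
    "arn:aws:secretsmanager:us-east-1:111122223333:secret:hr/payroll-GhIjKl": {"team": "hr"},
    "arn:aws:secretsmanager:us-east-1:111122223333:secret:legacy/untagged-MnOpQr": {},
}

_OPERATORS = {
    "StringEquals": lambda actual, expected: actual == expected,
    "StringLike": lambda actual, expected: fnmatchcase(actual, expected),
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resolve(expected, ctx):
    """Expand ${key} policy variables; None if a referenced key is absent."""
    out = expected
    while "${" in out:
        start = out.index("${")
        end = out.index("}", start)
        key = out[start + 2:end]
        if key not in ctx:
            return None  # unresolvable variable: this value can never match
        out = out[:start] + ctx[key] + out[end + 1:]
    return out


def _condition_holds(condition, ctx):
    """All operator blocks must hold; each key must match at least one listed value."""
    for operator, block in condition.items():
        test = _OPERATORS[operator]
        for key, values in block.items():
            actual = ctx.get(key)
            if actual is None:  # key missing from the request (e.g. untagged resource)
                return False
            resolved = [_resolve(v, ctx) for v in _as_list(values)]
            if not any(r is not None and test(actual, r) for r in resolved):
                return False
    return True


def evaluate(policy, action, resource, ctx, honor_conditions=True):
    """'Allow', 'Deny' or 'ImplicitDeny'. honor_conditions=False = static evaluator."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if honor_conditions and not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny overrides any allow
        decision = "Allow"
    return decision


def request_context(principal_tags, resource_tags):
    """Condition-key context IAM would see for one request."""
    ctx = {f"aws:PrincipalTag/{k}": v for k, v in principal_tags.items()}
    ctx.update({f"aws:ResourceTag/{k}": v for k, v in resource_tags.items()})
    return ctx


def reachable(policy, action, principal_tags, inventory, honor_conditions=True):
    """Sorted ARNs the principal can reach for `action` under the chosen evaluator."""
    return sorted(arn for arn, tags in inventory.items()
                  if evaluate(policy, action, arn, request_context(principal_tags, tags),
                              honor_conditions) == "Allow")


def overestimated(policy, action, principal_tags, inventory):
    """ARNs a condition-blind evaluator reports as reachable but ABAC actually blocks."""
    blind = set(reachable(policy, action, principal_tags, inventory, honor_conditions=False))
    return sorted(blind - set(reachable(policy, action, principal_tags, inventory)))


if __name__ == "__main__":
    act = "secretsmanager:GetSecretValue"
    for tags in ({"team": "payments"}, {}):
        print(tags, "can read:", reachable(ABAC_POLICY, act, tags, SECRETS))
        print("  static analysis over-reports:", overestimated(ABAC_POLICY, act, tags, SECRETS))
```

For a principal tagged `team=payments`, the condition-blind pass reports all three secrets as reachable, while the ABAC-aware pass returns only the payments secret: the HR secret fails the tag comparison and the untagged legacy secret has no `aws:ResourceTag/team` at all, so `StringEquals` cannot match. A principal with no `team` tag reaches nothing, because the policy variable is unresolvable. The practical caveat this illustrates is that an ABAC decision is only as trustworthy as the tags it reads, so reviewing who can add or change tags on principals and resources belongs in the same least-privilege review.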
## Strategic Analysis
- **Market Positioning:** Tenable is positioning itself as the bridge between legacy vulnerability management and modern cloud-native protection, leveraging its **Tenable One** platform to provide "full context."
- **Competitive Advantage:** The integration of the Tenable Research team's discovery of high-profile vulnerabilities (e.g., "LeakerLooker") provides a "credibility moat" that pure-play software startups lack.
- **Challenges:** The effectiveness of these tools relies on the organizational maturity of the customer; hyper-customization via Explorer requires a sophisticated understanding of one's own risk profile.
## Observations
- **Remediation speed:** The post frames faster MTTR as a response to the "AI era," in which attackers exploit known critical CVEs faster than humans can manually research fixes. The page quotes no external analyst on this point.
- **Supply chain:** Highlighting the npm "ambar-src" analysis reflects the growing industry focus on **Software Supply Chain Security**.
## Future Outlook
- Expect Tenable to continue expanding its AI-focused security capabilities, particularly regarding "AI-related identities" which are frequently overprivileged.
- Further consolidation of the "Exposure Management" category is likely, as platform-wide visibility becomes more valuable than siloed cloud tools.
## For Security Professionals
Practitioners should look to the **Explorer** tool to automate their most repetitive manual audits. The integration of Tenable Plugin IDs into remediation workflows is a specific "quick win" for teams looking to improve their relationship with DevOps by providing actionable, version-specific patch data.